Q1: What type of virus is it?

A1: Macro Virus (Virus name begins with WM/XM/A97M/P98M/PP97M/PU97M/V5M/W97M/X97M) - Close all Office applications and rescan with disinfection enabled.

A2: Boot/MBR Virus - Go to rescue disk.

A3: Tool (Virus name will end with @tool or be something like W32/Virtool) - Delete the file.

A4: Spyware/Adware (Virus name will end with @adw or @spy) - Uninstall the software. If that is not possible, disconnect the machine from the network and go to Q2.

A5: Script Virus (Virus name starts with ASP/BAT/CGI/HLP/HTML/IRC/IS/Java/JS/PERL/PHP/Script/UNIX/WBS/VBS) - Kill all script hosts, disable all scripting, disconnect from the network and scan the computer for infections. Delete or edit all infected files.

A6: File Infector (the virus name contains a dot followed by a number, optionally followed by a dot and capital letters) - Go to rescue disk.

A7: Worm/Bot/Trojan/Backdoor (did not match any of the above) - Disconnect the machine from the network, disable all scripting and go to Q2.

Q2: Can you find the process in Task Manager?

A1: Yes - Go to Q3.

A2: No - Go to Q4.


Q3: Can you kill the process?

A1: Yes - Go to Q5.

A2: No - Go to Q4.


Q4: Boot into safe mode and scan for the virus. Is the virus still active?

A1: Yes - Go to rescue disk.

A2: No - Go to Q5.


Q5: Is the process restarted after being killed?

A1: Yes. Go to Q4.

A2: No. Identify the executable names and search for them in the registry. Go to Q6.


Q6: Identify the executable names and search for them in the registry. Do you find them in the registry?

A1: Yes. Go to Q7.

A2: No. Delete the files, reboot and scan for viruses again. If you find the same virus, call technical support.

Q7: Do any of the registry keys point to a COM object or a BHO (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects)?

A1: Yes. Unregister/uninstall them. Internet Explorer 6 has functionality that can help; otherwise use third party tools. Go to Q7.

A2: No. Go to Q8.


Q8: Do any of the registry keys point to an LSP (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries)?

A1: Yes. Remove -very- carefully. Preferably use a tool that can do this safely. Go to Q7.

A2: No. Go to Q9.


Q9: Are there any HKEY_CLASSES_ROOT keys or other sensitive keys?

A1: Yes. Fix them carefully, making sure the machine will still work when you are finished. Go to Q7 until no keys remain. Then go to Q10.

A2: No. Delete all the registry entries with the executable names. Go to Q7 until no keys remain. Then go to Q10.

Q10: Is it registered as a service?

A1: Yes. Un-register the service or delete the registry entry, carefully. Repeat for all services and then go to Q11.

A2: No. Go to Q11.


Q11: Is it registered as a Winlogon helper? (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify subkey)

A1: Yes. Go to Q16.

A2: No. Go to Q12.


Q12: Was %WINDOWS%\system32\drivers\etc\hosts modified?

A1: Yes. Fix it. Go to Q13.

A2: No. Go to Q13.


Q13: Are the infected files marked hidden, system or read-only?

A1: Yes. Unprotect them. Go to Q14.

A2: No. Go to Q14.


Q14: Delete the infected files. Was it successful?

A1: Yes. Reboot and rescan. Hopefully you will be virus free now.

A2: No. Either the virus was restarted and is still active, or the file is protected using some other access permission structure. Go to Q15.


Q15: Are you running in safe mode?

A1: Yes. Forward a sample of the virus to the virus lab for more instructions.

A2: No. Go to Q4.

Q16: What operating system is infected?

A1: Windows 9x/ME. Boot from the Rescue disk and clean the system.

A2: Windows NT/2000/2003. In Windows Explorer select the file, right-click, Properties. Remove all permissions from the file. Actively deny all permissions to all users/administrators/network/service/system. Reboot. Delete the file and clean the registry.

A3: Windows XP. Go to Q17.


Q17: Is Simple File Sharing enabled? (Windows Explorer / Folder Options / View / Simple File Sharing)

A1: Yes. Disable it, go to Q16 and follow the Windows 2000 instructions.

A2: No. Go to Q16 and follow the Windows 2000 instructions.


Note 1: In some cases the Authentium/Command Rescue disk is insufficient to deal with what is required of it, e.g. file viruses on NTFS file systems. See your administrator for other approaches.

Note 2: The command line scanner "csav.exe" can be used in safe mode.
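As an added example (not part of the original flowchart or of the Authentium/Command tools), a read-only PowerShell helper that takes the executable names identified at Q5/Q6 and reports where they appear in the locations Q7 through Q13 ask about: the BHO, LSP, Services and Winlogon\Notify keys named above, HKEY_CLASSES_ROOT\CLSID (where a BHO's CLSID resolves to its DLL), the hosts file, and file attributes. The default suspect name is a constructed placeholder; the script changes nothing, so the removal steps in the flowchart still have to be done by hand.

```powershell
# Added read-only triage helper; not part of the original flowchart or of
# the Authentium/Command tools. Given the suspect executable names from
# Q5/Q6, report where they appear in the locations Q7-Q13 ask about.
# It deletes nothing. Run from an elevated prompt; the default name is a
# constructed placeholder.
param([string[]]$SuspectNames = @('example_bad.exe'))

# Registry locations named in the flowchart, keyed by the question they serve.
# BHO entries are only CLSIDs; the DLL path behind each lives in HKCR\CLSID.
$Checks = [ordered]@{
    'Q7 BHO'       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'Q7/Q9 CLSID'  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    'Q8 LSP'       = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
    'Q10 Services' = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    'Q11 Winlogon' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
}

foreach ($label in $Checks.Keys) {
    $path = $Checks[$label]
    if (-not (Test-Path $path)) { Write-Output "$label : key absent"; continue }
    Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            # LSP catalog entries keep the DLL path inside a REG_BINARY blob
            # (PackedCatalogItem), so decode bytes as text before matching.
            $data = if ($p.Value -is [byte[]]) { [Text.Encoding]::ASCII.GetString($p.Value) } else { [string]$p.Value }
            foreach ($n in $SuspectNames) {
                if ($data -like "*$n*") { Write-Output "$label : $($key.Name) [$($p.Name)]" }
            }
        }
    }
}

# Q12: hosts entries that are neither comments nor loopback deserve review.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { Write-Output "Q12 hosts : $_" }

# Q13: copies of the suspect files under %SystemRoot% with hidden, system or
# read-only attributes must be unprotected before Q14 can delete them.
foreach ($n in $SuspectNames) {
    Get-ChildItem -Path $env:SystemRoot -Recurse -Force -File -Filter $n -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output "Q13 file : $($_.FullName) [$($_.Attributes)]" }
}
```

Each reported line carries the question number it belongs to, so the findings can be worked through in the same order as the flowchart.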